By NHI Mgmt Group Editorial TeamPublished 2026-04-27Domain: Governance & RiskSource: Elisity

TL;DR: Credential abuse remains the dominant initial access path, used in 22% of breaches, while compromised-credential incidents now take an average of 246 days to identify and contain, according to Verizon DBIR 2025 and IBM’s 2025 breach study. That makes lateral movement prevention an architectural problem, not a tooling afterthought, especially as AI agents multiply identity complexity.


At a glance

What this is: This is an architectural analysis of how lateral movement control is being reshaped by credential abuse and the arrival of AI agents on shared endpoints.

Why it matters: It matters because IAM, PAM, and NHI programmes now have to separate humans, service accounts, and AI agents within the same trust boundary without assuming any of them are inherently safe.

By the numbers:

👉 Read Elisity’s analysis of preventing lateral movement in the age of AI agents


Context

Lateral movement is what happens after an attacker or rogue process gets a foothold and starts moving through systems that were never meant to trust each other by default. In identity terms, the problem is not just initial access, but how far a compromised identity can travel once it has valid credentials, network reach, or overprivileged access.

The article argues that this is now an architecture problem for Zero Trust, IAM, PAM, and NHI programmes at the same time. The emergence of AI agents on endpoints adds another identity layer that security teams must separate, govern, and constrain without relying on human-paced review cycles alone.


Key questions

Q: How should security teams reduce lateral movement once credentials are already inside the environment?

A: They should focus on internal reach, not just authentication. The effective controls are identity-based segmentation, privilege reduction, and mediation of east-west traffic so a valid credential cannot fan out across the network. If the attacker can still talk to many systems after the first login, the environment has preserved the blast radius instead of shrinking it.

Q: Why do AI agents make lateral movement harder to contain?

A: AI agents add more runtime identities to the same endpoint and can act faster than human review cycles. That creates more chances for shared trust, overbroad permissions, and unclear accountability. The risk is not simply automation, but the multiplication of executors that can reuse access and extend internal reach before teams notice.

Q: What breaks when organisations rely on network location instead of identity for internal access control?

A: Location-based control breaks because internal systems still trust anything on the right subnet or inside the right segment. Once a credential is stolen, the attacker can exploit that assumption to move laterally. Identity-aware control is needed because it ties reach to the actor, not the address.

Q: Who is accountable when a compromised service account or AI agent moves laterally?

A: Accountability sits with the organisation that assigned the access and failed to constrain it. The right question is whether the identity was given more reach than its task required, and whether the programme had enough segmentation and governance to limit the resulting blast radius. That is the control failure leaders must own.


Technical breakdown

Why lateral movement survives inside Zero Trust environments

Lateral movement persists when organisations treat Zero Trust as a detection posture rather than a containment architecture. NIST SP 800-207 assumes every access request is untrusted until verified, but that only works if the architecture actively limits east-west reach, service account privilege, and device-to-device trust. Most breaches do not require exotic exploits once the attacker has valid credentials, because the internal environment often contains too many allowed paths. The real failure is not authentication alone, but the combination of broad reach, standing access, and weak segmentation.

Practical implication: map internal trust paths first, then remove or mediate the ones that let a single credential move laterally across the environment.

AI agents on endpoints change the identity separation problem

The article’s AI agent example matters because it changes the number of identities operating on one endpoint and the speed at which they act. A human user, a service account, and multiple AI agents can now coexist on the same device, which means identity separation can no longer depend on user presence or manual review. For IAM and NHI governance, that raises a structural problem: authorisation decisions must distinguish among actors that share infrastructure but not intent. Without that separation, the endpoint becomes a collision point for human, machine, and agentic access.

Practical implication: classify and isolate each non-human executor on shared endpoints before you expand privileges or automation.

Microsegmentation and proxy mediation are the containment layer

Microsegmentation limits which identities can talk to which assets, while proxy mediation adds a policy enforcement point between the caller and the target. In the article’s framing, legacy and unpatchable devices are dangerous not because they exist, but because too many other identities can still reach them. That is why identity-based network controls matter more than simple address-based filtering. They turn reachability into an access decision, which is the right control plane for environments where device patching is slow or impossible.

Practical implication: place unpatchable or high-value assets behind identity-aware segmentation and mediation, not just network ACLs.


Threat narrative

Attacker objective: The attacker aims to convert a single valid foothold into broad internal reach, enabling deeper compromise, persistence, and eventual exfiltration or disruption.

  1. Entry occurs through credential abuse, which remains the dominant way adversaries gain a foothold inside enterprise environments.
  2. Escalation follows when the attacker or malicious process uses standing access, service accounts, or shared trust paths to move beyond the first system.
  3. Impact emerges as lateral movement expands the blast radius, extending dwell time, privilege reuse, and the number of systems exposed to compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Preventing lateral movement is no longer a detection problem, it is an identity architecture problem. Once an attacker or rogue workload gets inside, the enterprise is already negotiating with its own trust model. The decisive question is which identities can still reach what, and whether those reach paths were designed for containment or convenience. Security leaders should treat lateral movement as a design constraint on IAM, PAM, and NHI programmes, not as a downstream incident response metric.

Single-user endpoint thinking breaks when multiple AI agents share the same runtime. The old assumption was that one human operator sat behind one device and one set of credentials. That assumption fails when AI agents act as additional runtime identities on the same machine, because access can no longer be interpreted as belonging to one executor. The implication is that identity separation, authorisation, and accountability all need to be rethought for mixed human, machine, and agentic execution.

Identity-based microsegmentation is becoming the practical control plane for east-west containment. Network boundaries alone do not express who is allowed to speak to a device or service once credentials are stolen. Segmentation tied to identity, privilege, and mediation gives organisations a way to reduce blast radius without pretending the internal network is inherently trusted. Practitioners should view this as a control for limiting movement, not as a substitute for credential hygiene or least privilege.

Zero Trust programs fail when they stop at trust language and never reach enforcement scope. The article’s architecture-first framing is a reminder that assume-breach is not the same as stop-breach. If the environment still allows broad internal reach after authentication, then the programme has preserved the very pathways adversaries use. Security teams should measure success by how much internal movement they have actually removed, not by how well the policy deck reads.

From our research:

What this signals

Identity-based lateral movement control will become a programme-level requirement, not a network special case. As AI agents, service accounts, and human users share more runtime surface area, the separation problem shifts from theory to operations. Teams that do not distinguish actor classes in their access design will struggle to prove containment after a foothold appears.

With 88.5% of organisations saying their non-human IAM practices lag behind or merely match their human IAM efforts, the gap is structural. That lag matters here because lateral movement control depends on stronger governance for machine and agent identities than many programmes currently have. The next phase of Zero Trust will be measured by whether it constrains internal reach for non-human actors as tightly as it does for people.

Why existing IAM models fail here is simple: they were built for access grants, not movement control. Teams should expect more pressure to pair identity governance with segmentation, mediation, and runtime visibility. The practical test is no longer whether an identity can authenticate, but whether it can still travel after authentication is complete.


For practitioners

  • Map east-west trust paths by identity class Inventory which human users, service accounts, and AI agents can reach each internal asset, then identify where those paths were granted for convenience rather than necessity.
  • Separate AI agents from human users at the control plane Treat agents as distinct runtime identities with their own policy boundaries, logging, and least-privilege scopes instead of letting them inherit the user’s full access context.
  • Enclave unpatchable devices behind mediated access Place legacy, FDA-locked, or otherwise unpatchable assets behind identity-aware segmentation and proxy enforcement so that only explicitly allowed identities can reach them.
  • Test containment with lateral movement simulations Run exercises that assume a valid credential is already present and measure how far it can move before segmentation, mediation, or privilege boundaries stop it.

Key takeaways

  • The article’s core argument is that lateral movement is an architecture problem, not a tool problem.
  • Credential abuse, standing privilege, and shared endpoint identity create the conditions that let attackers expand inside the environment.
  • Security teams need identity-aware segmentation and runtime separation for humans, service accounts, and AI agents if they want real containment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST Zero Trust (SP 800-207)3.3The article centers on continuous verification and east-west containment.
NIST CSF 2.0PR.AC-4The topic is about limiting access paths and privilege reach inside the environment.
NIST SP 800-53 Rev 5AC-6Least privilege is the central control principle behind the containment argument.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementCredential abuse and internal movement are the primary threat behaviours discussed.
OWASP Non-Human Identity Top 10NHI-03The post deals with non-human identity reach, privilege, and containment risk.

Map exposed credentials and reachable internal paths to Credential Access and Lateral Movement tactics.


Key terms

  • Lateral Movement: Lateral movement is the process of moving from one compromised system or identity to other systems inside the same environment. In identity programmes, it reveals where trust, privilege, or segmentation still allows an attacker to expand after the first foothold.
  • Identity-Based Microsegmentation: Identity-based microsegmentation is the practice of limiting east-west connectivity according to the identity of the caller and the target, not just network position. It is the operational control that lets security teams reduce blast radius when credentials, services, or agents are already inside the perimeter.
  • Runtime Identity: Runtime identity is the identity an executor uses while acting in a live environment, including a human user, service account, workload, or AI agent. For autonomous or mixed environments, it matters because multiple executors can share the same endpoint while still requiring separate policy boundaries.

What's in the full article

Elisity's full article covers the architectural detail this post intentionally leaves at the strategy level:

  • A deeper walkthrough of Andy Ellis’s zero trust framing for stopping lateral movement in practice
  • Discussion of the VPN-and-proxy enclaving pattern for legacy and unpatchable devices
  • More detail on identity-based microsegmentation as a containment layer for east-west traffic
  • Additional context on how AI agents change endpoint identity separation and policy design

👉 Elisity’s full post adds the architectural examples, zero trust framing, and AI agent containment discussion.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org